Hey guys, this is your penguin, welcome back to the linuxcan. In this article I am going to be talking about SSH: how to install an SSH server and how to secure it. Let's get started by establishing which SSH client and server we are going to be using. In our case we want OpenSSH, which is pretty much the go-to SSH client and server solution. It's completely open source and one of those great services that was developed by the OpenBSD team.
First of all, we must understand the connection model of SSH. SSH is primarily a client-server model: you need the client software to connect to the server software. In our case we need to install the OpenSSH client package on our client machine and the OpenSSH server package on our server. For both server and client I am currently using Ubuntu 20.04.
Install the SSH server and client
To install OpenSSH on the server, open a terminal and run: sudo apt-get install openssh-server
To install the client, run: sudo apt-get install openssh-client. With these two commands you have both the client and server sides of OpenSSH installed.
The OpenSSH client configuration file is /etc/ssh/ssh_config, and sshd_config in the same directory is the OpenSSH server configuration file. In the ssh directory we can also see public and private keys (the server's host keys); we'll get into that in a second, we don't need to complicate this right now.
Let's take a look at ssh_config, the client config file. Here you can see the client config options are quite straightforward in regards to what you can enable and disable: you can specify the port, the protocol and various other bits of configuration. That's not within the scope of this article, but I wanted to point it out. My remote server is running openssh-server and its IP is 192.168.1.254.
Disable remote root login to secure the SSH server.
On the client side we already have an admin user to work with, and the client machine's IP is 192.168.1.113. All right, now that we have both pieces of software installed on the client and the server, we can talk about configuring SSH. When dealing with a remote server and remote authentication, the first thing you need to do is disable root logins, because the root account is extremely powerful: it has no restrictions in regards to what it can do. So that's our first order of business, and it is done by modifying the openssh-server configuration file.
openssh-server configuration file
To do that, open the openssh-server configuration file with vim or your favorite text editor. The file is located at /etc/ssh/sshd_config.
You can see this is the OpenBSD OpenSSH configuration file, and it tells you at the top that this is the sshd server system-wide configuration file. So let's take a look at some of the various options you can set.
You can change the default port. This is great for those of you who want to set up a honeypot on the default port 22 and then have SSH run on another port like 9999. You can also change the ListenAddress if you want to, and the host key file names. Further down is the logging section, which you can play around with; I'll talk about logs in another article. Below the logging section we have the authentication section.
Here we have an option called PermitRootLogin, and we want to change this. Uncomment the line (uncommenting just means deleting the hash sign, so the setting takes effect) and set its value to no.
More settings in the file.
We can also play around with LoginGraceTime: increase or decrease it to the time you want to allow for a login to complete. We keep StrictModes at yes. MaxAuthTries we can change from the default to 3, or whatever you want; this will help protect against brute force attacks. MaxSessions limits the number of sessions open at the same time; the default value is 10 and we can set it to 4, or whatever suits you.
Setting up public and private keys for SSH server authentication.
The next setting is PubkeyAuthentication, which we want at yes. Now let's go all the way down; we're primarily looking for PasswordAuthentication. We'll talk about this when we set up SSH keys, so for now we've essentially disabled root login. Save the file. Whenever you make changes to the openssh-server configuration file you need to restart the openssh server so it reads the new configuration. To do this we use systemd; to restart any service you need superuser permission, so we restart the service with sudo systemctl restart sshd.service.
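The sshd_config edits described above (PermitRootLogin, LoginGraceTime, StrictModes, MaxAuthTries, MaxSessions, PubkeyAuthentication, plus the PasswordAuthentication change made later in the article) as a shell script that also lets sshd parse-check the file before the restart. This is an added example, not code from the article; it assumes the stock Ubuntu sshd_config layout, and the function names set_sshd_option, get_sshd_option, harden_sshd_config and apply_sshd_config are my own.

```shell
#!/bin/sh
# Added example, not code from the article: set sshd_config directives
# idempotently, then parse-check the file before restarting so a typo
# cannot lock you out. Assumes the stock Ubuntu layout, where unset
# directives sit in the file as commented defaults such as
# "#PermitRootLogin prohibit-password".

# set_sshd_option FILE KEY VALUE: turns "KEY ..." or "#KEY ..." into
# "KEY VALUE" (exact case, as in the stock file) or appends the directive.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|=)" "$file"; then
        tmp=$(mktemp)
        sed -E "s@^[#[:space:]]*${key}([[:space:]]+|=).*@${key} ${value}@" \
            "$file" > "$tmp" && cat "$tmp" > "$file"   # keeps owner/mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY: value of the first active line, which is the
# one sshd honours if a directive appears more than once.
get_sshd_option() {
    grep -E "^${2}([[:space:]]+|=)" "$1" | head -n 1 | awk '{ print $2 }'
}

# The settings walked through in the article. LoginGraceTime 30 is an
# assumed choice; the text only says to raise or lower the default.
harden_sshd_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" MaxAuthTries 3
    set_sshd_option "$1" MaxSessions 4
    set_sshd_option "$1" LoginGraceTime 30
    set_sshd_option "$1" StrictModes yes
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no  # only once key login works
}

# Let sshd itself parse the file; restart only if it passes.
apply_sshd_config() {
    sshd -t -f "$1" && systemctl restart sshd.service
}

# Usage, as root on the server:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config && apply_sshd_config /etc/ssh/sshd_config
```

Keep an existing SSH session open while you restart and confirm a fresh login still works before closing it.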
All right, now if we open up a new tab on the client and try to log in to the root user account with ssh root@192.168.1.254, hit enter and give the root password, we get permission denied. You'll see that we are not able to do it: this blocks any remote root login.
Disable or lock the password for root to secure the SSH server
The other thing we want to do is disable, or lock, the password for the root account. This ensures that even if a person or an attacker has the legitimate password, they cannot use it to get to root through another user account: remember, if a user gets access to the admin account via SSH they can easily switch to the root user account. So we also disable the password for root. This locks the account until someone with the privileges to change the password manually unlocks it. It's a great way of protecting yourself from script kiddies. To lock any user we use the passwd command with the -l option.
So we run passwd -l and specify the account we want to lock, which needs sudo privileges: sudo passwd -l root, hit enter, and it reports that the password expiry information changed. We can check this with sudo passwd -S root, which shows that the password is locked (an L in the second field of the output).
Protection from brute force attacks
The second step is to disable password authentication and use SSH keys, which is exactly what I'm going to show you now. That ensures you're protected from brute force attacks, because you cannot log in to this SSH server at all without an SSH key.
We will create a new SSH key, which is very easy to do. First we need to establish which user account we're going to use: we have already locked the root account, so once we set up the SSH keys we'll be logging in to the admin user account. Key-based authentication will only allow us to access the admin account. After that we modify the openssh-server configuration file to disable all password authentication.
Generate a new SSH key.
Run ssh-keygen -t rsa and hit enter. It tells us it is generating a public/private RSA key pair and asks for the file in which to save the key; you can give a custom path here, but we'll leave the default and hit enter. Then it asks for a passphrase, which is always recommended: it adds an additional level of security to your SSH key, because remember, this key has to be kept secret. We can see that the keys have been saved into the .ssh directory under the home directory. If we change into that .ssh directory we can see the public and private key files right there.
Copy the public key onto the server.
Now we need to copy the public key onto the server. Let me quickly explain how SSH key authentication works: you store your public key on the server and keep your private key with you, and the private key is the most important part, as it's the key that allows you to authenticate successfully with the server.
So you need to keep it secure and backed up; if you lose it you lose access to the server. That's very important. Essentially what happens is this: your private key is used for a challenge-response. The SSH server sends a random string of data to the SSH client, the client signs (encrypts) that random string with the private key and sends the result back to the server, and the server uses your public key to verify (decrypt) it. If it checks out, your connection with the server is established.
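What that exchange looks like in practice, as an added example that is not part of the original article: OpenSSH's own ssh-keygen can sign and verify arbitrary data (its -Y mode, available from OpenSSH 8.0, so present on the Ubuntu 20.04 used here), which lets us replay the three steps locally. The private key produces a signature over the challenge and the server checks it with nothing but the stored public key; the function name key_auth_demo and the namespace ssh-demo are my own.

```shell
#!/bin/sh
# Added example, not code from the article: the challenge-response behind SSH
# key authentication, reproduced with ssh-keygen's signing mode (OpenSSH 8.0+).
# A throwaway RSA key pair is generated in a temp directory; "client" steps use
# the private key, "server" steps only ever see the public key.

# key_auth_demo: returns 0 if a genuine signature verifies AND a tampered
# challenge is rejected, 1 on any failure, 2 if ssh-keygen is not installed.
key_auth_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 1
    rc=0
    (
        cd "$dir" || exit 1
        # Client: generate the key pair as in the article (RSA); the empty
        # passphrase is only so this runs unattended.
        ssh-keygen -q -t rsa -b 2048 -f id_demo -N '' || exit 1
        # Server: the public key, as it would sit in ~/.ssh/authorized_keys
        # after ssh-copy-id, written in the allowed_signers form -Y verify reads.
        printf 'admin %s\n' "$(cut -d' ' -f1,2 id_demo.pub)" > allowed_signers
        # Server: pick a random challenge and send it to the client.
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > challenge
        # Client: sign the challenge with the private key -> challenge.sig
        ssh-keygen -q -Y sign -f id_demo -n ssh-demo challenge || exit 1
        # Server: verify the signature using only the public key.
        ssh-keygen -q -Y verify -f allowed_signers -I admin -n ssh-demo \
            -s challenge.sig < challenge || exit 1
        # A modified challenge must NOT verify against the same signature.
        printf 'tampered' > challenge2
        ! ssh-keygen -q -Y verify -f allowed_signers -I admin -n ssh-demo \
            -s challenge.sig < challenge2 2>/dev/null
    ) || rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Run key_auth_demo; echo $? to see the result code.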
How to copy the SSH key to the server
Now we copy this SSH key to the server with ssh-copy-id admin@192.168.1.254. It will ask for that user's password.
It tells us the number of keys added to the server. We can now try logging in to the machine with ssh admin@192.168.1.254; after this we do not need a password to log in. But before we do that, we need to disable password authentication in SSH. Again we change the configuration file of the SSH server: open sshd_config and set PasswordAuthentication to no. This disables the ability to log in to this remote server via SSH with passwords. Then restart the sshd service with sudo systemctl restart sshd.service.
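A check worth running after that restart, as an added example that is not part of the original article: sshd -T prints the settings the daemon actually uses after reading sshd_config, any files pulled in by an Include line (drop-ins under /etc/ssh/sshd_config.d/ on OpenSSH 8.2 and later), and its built-in defaults, so it catches a directive that was edited in a file the daemon overrides. The function names and the sample output are my own.

```shell
#!/bin/sh
# Added example, not code from the article: audit the *effective* sshd settings.
# "sshd -T" prints every directive after sshd has parsed sshd_config, any
# Include'd drop-in files and the built-in defaults, as lowercase "key value"
# lines. The first occurrence of a directive wins, so an Include near the top
# of sshd_config can silently override what you set further down.

# audit_sshd_effective: reads "sshd -T" output on stdin, prints one FAIL line
# per expectation not met, and returns the number of failures (0 = all good).
audit_sshd_effective() {
    dump=$(cat)
    failures=0
    for want in "permitrootlogin no" "passwordauthentication no" \
                "pubkeyauthentication yes" "maxauthtries 3"; do
        key=${want%% *}
        expected=${want#* }
        actual=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ "$actual" != "$expected" ]; then
            echo "FAIL: $key is '${actual:-unset}', expected '$expected'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Against the live daemon (root is needed to read the host keys it loads).
audit_live_sshd() {
    sudo sshd -T | audit_sshd_effective
}

# Constructed sample of "sshd -T" output from a server where PermitRootLogin
# was fixed but password authentication and MaxAuthTries were not (yet).
SAMPLE_SSHD_T='port 22
addressfamily any
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
maxauthtries 6'

# printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_effective   # two FAIL lines, exit 2
```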
That is how you set up SSH and key-based authentication.